Published On: 11 May 2019
An attacker is able to view the list of followers for any Facebook page by browsing the list through the mobile versions (m.facebook.com, mbasic.facebook.com).
Leaking the list of followers for any Facebook page.
Step 1
Create any Facebook page and browse it using the mobile version, m.facebook.com.
Step 2
Step 3
(see the attached image) As you can see, the Followers tab is not displayed in the mobile version. The tabs that appear are: banned people, pages that like this page, and people who liked this page.
Step 4
Open each tab and note the following URLs:
Banned users: https://m.facebook.com/browse/blocked_users/?id=your_page_id
People who liked this page: https://m.facebook.com/browse/fans/?id=your_page_id
So I tried changing my page id to a victim page id (a page I don't have a role in), and unfortunately a message appeared: "You don't have permission to view this list".
Step 5
But wait! What about the "Followers" tab?
It does not appear in the UI, as mentioned in step 3, but notice from step 4 that it's easy to guess the directory name of the followers tab:
m.facebook.com/browse/fans/?id=your_page_id
m.facebook.com/browse/blocked_users/?id=your_page_id
The first word that came to my mind as a guess for the followers list directory was "followers":
https://m.facebook.com/browse/followers/?id=Victim_id
I changed it, then changed the id parameter to any Facebook page id, and successfully fetched the followers!
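The pattern behind this report, as an added example that is not part of the original write-up and is not Facebook's code: two list handlers check the caller's page role, a third route that the UI never links does not, and a regression check that walks every registered route catches the gap. The users, page ids, list contents and function names are constructed, and the model assumes the same page-role check is meant to guard all three lists.

```python
# Constructed model of the bug class; every name and value here is hypothetical.
PAGE_ROLES = {"page_1": {"alice"}, "page_2": {"bob"}}  # page id -> users with a role
LISTS = {
    ("page_2", "fans"): ["u1", "u2"],
    ("page_2", "blocked_users"): ["u3"],
    ("page_2", "followers"): ["u4", "u5"],
}

class Forbidden(Exception):
    """Caller has no role on the requested page."""

def has_role(user, page_id):
    return user in PAGE_ROLES.get(page_id, set())

def checked(kind):
    # Handler that remembers to authorize before returning data.
    def handler(user, page_id):
        if not has_role(user, page_id):
            raise Forbidden(kind)
        return LISTS.get((page_id, kind), [])
    return handler

def unchecked(kind):
    # Handler that returns data for any caller: the missing check.
    return lambda user, page_id: LISTS.get((page_id, kind), [])

# Before: authorization lives in each handler, and the unlinked route lacks it.
ROUTES_BEFORE = {"fans": checked("fans"),
                 "blocked_users": checked("blocked_users"),
                 "followers": unchecked("followers")}

def browse_before(user, kind, page_id):
    return ROUTES_BEFORE[kind](user, page_id)

# After: the router authorizes once, before dispatch, so no route can skip it.
def browse_after(user, kind, page_id):
    if kind not in ROUTES_BEFORE:
        raise KeyError(kind)
    if not has_role(user, page_id):
        raise Forbidden(kind)
    return LISTS.get((page_id, kind), [])

def leaked_routes(browse, outsider, page_id):
    # Regression check over every registered route, whether or not the UI links it.
    leaked = []
    for kind in ROUTES_BEFORE:
        try:
            browse(outsider, kind, page_id)
            leaked.append(kind)
        except Forbidden:
            pass
    return leaked
```

Driving the check from the route table rather than from the UI's tab list is what makes it cover a route like `followers`.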